Hello there,
I am trying to connect to OpenID auth in Dashboards, but it is not connecting to the IdP and the connection is timing out. I found a solution for the same in Kibana; is there some setting like that also present here?
Thanks for the help in advance
@manikya
What IdP are you using? Also, are you able to provide the config.yaml and dashboards.yaml files? Redact any sensitive details if necessary.
I am using my corporate IdP for SSO, which is behind a proxy. I have set up the proxy in jvm.options for OpenSearch and also in a system variable on my Ubuntu machine. When I send the IdP auth token to OpenSearch I am able to get a response.
Dashboards config file:
opensearch.hosts: ["http://localhost:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Global", "Private"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.host: "0.0.0.0"
server.basePath: "/dashboard"
server.rewriteBasePath: true
#opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "IDP Well Known Endpoint"
opensearch_security.openid.client_id: "<client -id>"
opensearch_security.openid.client_secret: "client-secret"
opensearch_security.openid.scope: "openid email profile"
opensearch_security.openid.base_redirect_url: "<redirect - URI>"
@manikya
Can you provide the config.yml?
Also, is the line below supposed to be commented out?
#opensearch_security.auth.type: "openid"
#opensearch_security.auth.type: "openid" ← Not supposed to be commented out.
The config.yml file I am using:
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
      # Kibana multitenancy
      #multitenancy_enabled: true
      #server_username: kibanaserver
      #index: '.kibana'
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        #internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
        internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader: 'x-forwarded-for'
        ###### see Pattern (Java Platform SE 7 ) for regex help
        ###### more information about XFF X-Forwarded-For - Wikipedia
        ###### and here RFC 7239 - Forwarded HTTP Extension
        ###### and Apache Tomcat 8 Configuration Reference (8.0.53) - The Valve Component
    authc:
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: display_name
            roles_key: roles
            openid_connect_url:
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
@manikya
The first link you posted (xpack.fleet.registry) seems to be for reaching the Elastic Package Manager registry behind a proxy.
There is no additional configuration needed to make OpenSearch work.
Therefore I would focus on the config. Did you remove the # from the line below?
#opensearch_security.auth.type: "openid"
Can you also confirm that openid_connect_url in config.yml is filled in.
Also, can you copy the same value from openid_connect_url to dashboards.yml under:
opensearch_security.openid.connect_url:
@Anthony
I have uncommented this line in the OpenSearch Dashboards config: #opensearch_security.auth.type: "openid"
And it is the same value that is filled in config.yml → openid_connect_url
My OpenSearch is connecting to the OpenID servers because I set -Dhttp.proxyHost and -Dhttp.proxyPort.
Are there any equivalent settings for OpenSearch Dashboards?
@manikya I think that setting is only for the Elastic Agent setup, according to the docs at least.
I would recommend removing those settings and focusing on the rest of the config.
The problem as I understand it is that OpenSearch Dashboards for the OP is installed in an environment where you require an HTTP/HTTPS proxy to connect to the outside world.
Last time I researched this, OpenSearch Dashboards does not support setting a proxy, even if the underlying software does.
I went ahead and created an issue on this: Support httpsProxy in OpenSearch Dashboards for OIDC support · Issue #911 · opensearch-project/security-dashboards-plugin · GitHub
The workaround we used was to use netcat locally and set up a host alias to make all requests to our OIDC vendor go through our proxy. It's kind of "dirty", but it works.
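An added diagnostic for the situation in this thread (not code from any poster or from the OpenSearch project): it fetches the IdP discovery document, the URL that goes into openid_connect_url and opensearch_security.openid.connect_url, through an explicit proxy with a timeout, so a blocked egress path shows up as a clear error rather than a hanging login, and checks that the document carries the fields OIDC login needs. The proxy address, the example.com hostnames and SAMPLE_DOC are constructed placeholders.

```python
import json
import sys
import urllib.request

# Fields the discovery document must carry for OIDC login to work.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"


def validate_discovery(connect_url: str, doc: dict) -> list:
    """Return the problems found; an empty list means the document is usable."""
    problems = []
    if not connect_url.endswith(WELL_KNOWN):
        problems.append("connect_url does not end with " + WELL_KNOWN)
    for field in REQUIRED_FIELDS:
        if not doc.get(field):
            problems.append("missing " + field)
    issuer = doc.get("issuer")
    # Per OIDC Discovery the well-known URL is <issuer> + WELL_KNOWN.
    if issuer and connect_url != issuer.rstrip("/") + WELL_KNOWN:
        problems.append("issuer does not match connect_url")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(field)
        if value and not value.startswith("https://"):
            problems.append(field + " is not https")  # tokens/keys over plaintext
    return problems


def fetch_discovery(connect_url: str, proxy: str = None, timeout: float = 10.0) -> dict:
    """Fetch the discovery document via an explicit proxy (e.g. http://proxy:3128),
    or via the *_proxy environment variables when no proxy is given."""
    proxies = {"http": proxy, "https": proxy} if proxy else None
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    try:
        with opener.open(connect_url, timeout=timeout) as resp:
            return json.load(resp)
    except OSError as exc:  # URLError and socket timeouts are both OSError
        raise RuntimeError(f"cannot reach {connect_url} via proxy={proxy}: {exc}") from exc


# Constructed sample of what an IdP returns; not a real IdP.
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
}

if __name__ == "__main__":  # usage: script.py <connect_url> [proxy_url]
    url, proxy = sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None
    doc = fetch_discovery(url, proxy)
    print(validate_discovery(url, doc) or "discovery document OK")
```

Run it from the Dashboards host with the same proxy the OpenSearch JVM uses; if it times out there, the Dashboards process has no route to the IdP either, whatever the plugin config says.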